U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE USAJOBS
SYSTEM DEVELOPMENT LIFECYCLE
FY 2012

Report No. 4A-HR-00-12-044

Date: September 28, 2012

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT
WASHINGTON, D.C.

Report No. 4A-HR-00-12-044

Date: 9/28/12

Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

The objectives of this audit were to assess the system development lifecycle (SDLC) methodology of USAJOBS and to determine if any lessons learned from the USAJOBS 3.0 deployment could be applied to future system implementation projects at the U.S. Office of Personnel Management (OPM). OPM has been historically plagued with failed and troubled system implementation projects, and we believe that weak SDLC practices have played a major role in this.

Our audit evaluated SDLC elements such as requirements gathering, infrastructure change management, application change management, and testing. We looked at both the controls that were in place at the time of system deployment in October 2011, and also the controls that have been implemented and improved in the nine months since deployment.

Although our audit revealed some specific weaknesses in the original USAJOBS SDLC and some recommendations to improve current procedures, we believe that the overall methodology has improved significantly and that the system is operating with a stable change management process.

Our primary concern relates to the fact that the entire USAJOBS SDLC methodology was developed independent of any agency-wide requirements or guidance – because no current guidance exists at OPM. Although OPM’s internal website contains policies and procedures related to SDLC, many of these documents have not been updated in over 10 years, and they are not routinely used to manage current development projects.

After reviewing our draft audit report, the Office of the Chief Information Officer (OCIO) notified us of recent and ongoing efforts to create a current SDLC policy.
While we acknowledge that creating a policy is a significant first step in implementing a centralized SDLC methodology at OPM, the policy will need additional updating in order to address the specific deficiencies identified in this report. In addition, policy alone will not improve the historically weak SDLC management capabilities of OPM.

We recommend that the OCIO establish an SDLC review process in which the OCIO must review and formally approve SDLC work at various milestones for all OPM system implementation projects. All of our audit recommendations related to a centralized SDLC program at OPM should remain open until this process has been fully implemented and evidence can be produced to indicate that the new policies are actively enforced.

In addition to our concerns about OPM's overall SDLC management, this audit discovered the following controls in place and opportunities for improvement specific to the USAJOBS system:

• We reviewed system requirements of USAJOBS and determined that they were well documented and organized. Nothing came to our attention to indicate that there were any deficiencies in the OCIO’s requirements gathering methodology for USAJOBS.

• The OCIO generally has good controls related to infrastructure change management. However, we were unable to independently verify that all infrastructure changes were formally approved. We also determined that the OCIO has not yet implemented a process to routinely audit the actual configuration of its servers to ensure that they are compliant with the approved baseline.

• The OCIO has implemented a thorough change management process to facilitate changes to the USAJOBS application. However, we noticed an inconsistency in the way change requests were approved and recommend that the OCIO develop a policy that outlines which individuals can make formal approvals at various stages in the USAJOBS application change management process.

• Prior to its deployment, USAJOBS 3.0 was subject to rigorous testing from a variety of sources. However, the test environment available in the weeks prior to deployment did not have the full set of data that would be loaded to the production environment. OPM experienced great difficulty in cleanly transferring the data from the old Monster Government Solutions (MGS) system to the new USAJOBS 3.0. These difficulties were driven by the weak contract language that did not require MGS to provide OPM with the system details that would facilitate a more graceful transition of data.

• Most of the issues experienced in the first week after the deployment of USAJOBS 3.0 were related to an unprecedented number of users stressing the system’s resources. The OCIO provided us with evidence indicating that they did perform a variety of stress tests on USAJOBS prior to launch. However, the system was unable to handle the unprecedented number of users that attempted to access the system once it went live. We believe that the OCIO should analyze and document the lessons learned from this experience and apply them toward future system development projects at OPM.

• The testing process for USAJOBS has consistently improved since the system’s deployment and is now functioning adequately.

Contents

                                                                      Page
Executive Summary ..................................................... i
Introduction and Background ........................................... 1
Objectives ............................................................ 1
Scope and Methodology ................................................. 1
Compliance with Laws and Regulations .................................. 2
Results ............................................................... 3
   A. SDLC Overview ................................................... 3
   B. Requirements Gathering .......................................... 4
   C. Infrastructure Configuration and Change Management .............. 5
   D. Application Change Management ...................................
6
   E. Testing ......................................................... 7
Major Contributors to this Report .................................... 12
Appendix: The Office of the Chief Information Officer's August 7, 2012 response to the draft audit report, issued July 18, 2012.

Introduction and Background

USAJOBS is the federal government’s official one-stop source for Federal jobs and employment information. The USAJOBS website provides public notice of Federal employment opportunities to Federal employees and United States citizens. USAJOBS is cooperatively owned by the federal Chief Human Capital Officer (CHCO) council.

In 2003, OPM contracted with Monster Government Solutions (MGS) to host and maintain the USAJOBS system. In 2010, the Office of Personnel Management (OPM) and the CHCO Council made the decision to not renew its contract with MGS and to bring USAJOBS in-house at OPM. One element of this decision was based on the fact that two separate security breaches at MGS led to the disclosure of sensitive USAJOBS data.

In October 2011, OPM launched USAJOBS 3.0. This new version of USAJOBS was developed by various members of the CHCO council with primary contributions from OPM, the Department of Homeland Security, and the Department of Defense. USAJOBS 3.0 is hosted at OPM’s data center in Macon, Georgia and is maintained by two divisions of OPM’s Office of the Chief Information Officer (OCIO): the application business owners – USAJOBS Program Office, and the development and technical infrastructure support team – Human Resources Tools and Technology (HRTT).

When USAJOBS 3.0 was deployed, the system became flooded with an unprecedented number of users trying to access the public website. The system’s communications lines did not have the bandwidth to manage the traffic, and many users experienced a variety of errors that resulted from dropped network communications or were unable to access the system altogether. These issues led to a public outcry from the media and from the general population via the USAJOBS social networking websites. Furthermore, the House of Representatives Committee on Oversight and Government Reform questioned the OPM Director about the agency’s ability to manage large information system development projects.

Objectives

The objectives of this audit were to assess the SDLC methodology of USAJOBS and to determine if any lessons learned from the USAJOBS 3.0 deployment could be applied to future OPM system implementation projects. These objectives were met by reviewing the following elements of the USAJOBS project:

• Requirements Gathering;
• Infrastructure Change Management;
• Application Change Management; and,
• Testing.

Scope and Methodology

This performance audit was conducted by the Office of the Inspector General (OIG) in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit documented the controls in place for USAJOBS as of July 2012.

We considered the USAJOBS internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

Our audit evaluated SDLC elements such as requirements gathering, infrastructure change management, application change management, and testing. We looked at both the controls that were in place at the time of system deployment in October 2011, and also the controls that have been implemented and improved in the nine months since deployment.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

Details of our audit findings and recommendations are located in the “Results” section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the USAJOBS system of internal controls taken as a whole.

The audit was conducted from February through July 2012 in OPM’s Washington, D.C. headquarters building.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM’s management of USAJOBS is consistent with applicable standards. Nothing came to our attention during this review to indicate that OPM is in violation of relevant laws and regulations.

Results

The sections below provide a summary of our audit findings and recommendations related to the SDLC of USAJOBS and OPM’s overall SDLC methodology.

A. SDLC Overview

We reviewed the USAJOBS SDLC to verify that the OCIO has implemented adequate controls to ensure that the system continues to operate smoothly and to prevent reoccurrences of the problems that occurred in the first few days after the system was deployed. OPM has been historically plagued with failed and troubled system implementation projects, and we believe that weak SDLC practices have played a major role in this.

Our audit evaluated SDLC elements such as requirements gathering, infrastructure change management, application change management, and testing. We looked at both the controls that were in place at the time of system deployment in October 2011, and also the controls that have been implemented and improved in the nine months since deployment.

Although the sections below detail some specific weaknesses in the original USAJOBS SDLC and some recommendations to improve current procedures, we believe that the overall methodology has improved significantly and that the system is operating with a stable change management process.

Our primary concern relates to the fact that the entire USAJOBS SDLC methodology was developed independent of any agency-wide requirements or guidance – because no current guidance exists at OPM. Although OPM’s internal website contains policies and procedures related to SDLC, many of these documents have not been updated in over 10 years, and they are not routinely used to manage current development projects.
System development at OPM has become a decentralized process managed by the individual program offices that own and operate information systems. Our audits of these various projects have revealed significant inconsistencies in the methodology and quality of SDLC management.

We believe that the OCIO needs to develop current policies and procedures that outline the minimum requirements of critical SDLC components. The OCIO should also take an active oversight role in all systems development projects in the agency, and establish a formal SDLC review team that must review SDLC work at various milestones or checkpoints and formally approve the project to move forward.

Recommendation 1
We recommend that the OCIO develop an agency-wide SDLC methodology with specific policies and procedures that must be followed for all system development projects at OPM. The policies and requirements should consider the various approaches to system implementation (build-from-scratch, commercial software, etc.) routinely used by OPM.

OCIO Response:
“The Office of CIO has updated the Information Technology Systems Manager (ITSM) standards to reflect an agency-wide system development life cycle (SDLC) methodology. The update is called ‘OPM System Development Life Cycle Policy and Standards.’ The policy document applies to all OPM programs with an IT component, regardless of funding type and amount. It is to be used in conjunction with ITSM templates and will replace other ITSM documentation and addresses various approaches to system implementation routinely used by OPM . . . . This document has completed final reviews and is undergoing Web Team preparation to be published on the agency public website (www.opm.gov) in the near future. The templates, which are to be used with it, are currently located on THEO at http://theo.opm.gov/itsm/Templ.asp.”

OIG Reply:
We agree that the new OPM System Development Life Cycle Policy and Standards document is a significant first step in implementing a centralized SDLC methodology at OPM. However, the policy will need additional updating in order to address the specific deficiencies identified in this report. Additionally, policy alone will not improve the historically weak SDLC management capabilities of OPM. This recommendation should remain open until the SDLC review process (see Recommendation 2) has been fully implemented and evidence can be produced to indicate that the new policies are actively enforced.

Recommendation 2
We recommend that the OCIO establish an SDLC review process in which the OCIO must review and formally approve SDLC work at various milestones for all OPM system implementation projects. The minimum elements that the OIG believes should be incorporated into this review process are detailed in Recommendations 3, 7, and 8, below.

OCIO Response:
“We will review the new SDLC Policy and Standards document and the templates described above to identify appropriate responsibility for approval of SDLC work at various milestones.”

OIG Reply:
In addition to identifying appropriate personnel to approve SDLC work at various milestones, the OCIO should update the SDLC policy to provide details of these milestones and the requirements and deliverables for each.

B. Requirements Gathering

After the decision was made to in-source USAJOBS, OPM faced the task of documenting the functional requirements of the system. Due to weak language in the original contract with MGS, OPM did not have access to the source code, database schemas, data values, tables, etc., of the existing USAJOBS system operated by MGS. Therefore, engineers in the OCIO had to reverse-engineer the functional elements of the system to document its requirements.

Using the Agile system development lifecycle approach, the developers and the business owners worked together to develop specific functional requirements in the form of “user stories.”

We reviewed the original set of user stories and determined that the original requirements of USAJOBS appeared to be well documented. Nothing came to our attention to indicate that there were any deficiencies in the OCIO’s requirements gathering methodology for USAJOBS.

However, the methodology successfully used by the USAJOBS program office was implemented by the system’s developers and business owners and was independent of any agency-wide policy, procedures, or guidance. We have reviewed a variety of failed and troubled systems implementation projects at OPM and have often found that poor requirements gathering and documentation contributed to the failure.

Recommendation 3
As part of the recommended SDLC review process, we recommend that the OCIO develop a policy that provides guidance on requirements gathering for new information systems and outlines minimum documentation requirements.

OCIO Response:
“Please see the new SDLC Policy and Standards document, attached.”

OIG Reply:
We acknowledge the fact that the new SDLC Policy addresses requirements gathering. However, the policy should be updated to outline the requirements and deliverables related to this milestone in the SDLC process. This recommendation should remain open until the SDLC review process (see Recommendation 2) has been fully implemented and evidence can be produced to indicate that the new requirements gathering policies are actively enforced.

C. Infrastructure Configuration and Change Management

The OCIO generally has good controls related to infrastructure change management. However, we did note two opportunities for improvement in this area.

The OCIO maintains a detailed inventory of the computer hardware that supports the USAJOBS system infrastructure, and has developed a detailed baseline configuration that outlines a standard secure configuration for both application and web servers.

All changes to the approved configuration have been documented for all USAJOBS servers. However, we were unable to independently verify that all changes were formally approved. We selected a sample of USAJOBS infrastructure changes and asked the OCIO for evidence that these changes were approved. The OCIO’s response indicated that many of the changes were approved verbally or via informal e-mail. Although we have no reason to believe that these changes were not verbally approved, the OCIO should begin to formally document this communication so that there is an auditable trail of approval activity.

In addition, the OCIO has not yet implemented a process to routinely audit the actual configuration of its servers to ensure that they are compliant with the approved baseline. Routine configuration audits would alert the OCIO of any changes that were made outside of the standard change management process.

Recommendation 4
We recommend that the OCIO develop and implement a procedure to formally document approvals for USAJOBS infrastructure changes (changes made to server configurations).

OCIO Response:
“On July 30, the USAJOBS Configuration Management Plan was updated to outline formal approvals for USAJOBS infrastructure changes.
Specifically, future changes to server configurations will be approved in writing by the Chief, Systems Capacity Branch (SCB), HRTT. The records of these approvals will be stored with the HRTT SCB.”

OIG Reply:
As part of the audit resolution process, we recommend that the OCIO provide OPM’s Internal Oversight and Compliance Office (IOC) with evidence that the Configuration Management Plan was updated and that the subsequent infrastructure changes were approved in writing.

Recommendation 5
We recommend that the OCIO develop and implement a procedure to routinely audit the actual configuration of the USAJOBS servers and compare the settings to the approved baseline configuration.

OCIO Response:
“A thorough annual review of the USAJOBS configuration is conducted by the USAJOBS Designated Security Officer (DSO) and the HRTT SCB as required by the HRTT Information Technology (IT) Security Standard Operating Procedure (SOP). The DSO also receives and reviews a monthly report of the servers, software versions, and configurations. The USAJOBS Configuration Management Plan has been updated to include this review activity for USAJOBS configuration changes and comparison with approved baseline configurations.”

OIG Reply:
As part of the audit resolution process, we recommend that the OCIO provide IOC with evidence that the Configuration Management Plan was updated and that a configuration audit has been conducted.

D. Application Change Management

The OCIO has implemented a thorough change management process to facilitate changes to the USAJOBS application. A software product, [redacted], is used to manage system requirements and the status of all changes to the application. [redacted] contains the details of all existing features of the system and also a “backlog” of fixes and enhancements that are being developed for future releases.

Both the developers (HRTT) and the business owners (USAJOBS Program Office) have access to [redacted], and both use this product to facilitate real-time communication on the status of individual work items. [redacted] is also used to track the various approvals that are required throughout the application change process.

We selected a sample of application changes and viewed the history of these items within [redacted]. All changes in the sample were subject to formal approvals within [redacted]. However, we did notice an inconsistency in the way these items were approved. Some work items were approved by the business owners and others were approved by individuals who worked on the development staff. The OCIO explained that none of the developers who actually worked on coding a work item were involved in approving that change (which would be a conflict of interest). Although the OCIO’s explanations of these anomalies seem reasonable, there is no formal policy describing who can approve various types of application changes, and we were therefore unable to independently verify that these approvals were appropriate.

Recommendation 6
We recommend that the OCIO develop a policy that outlines which individuals can make formal approvals at various stages in the USAJOBS application change management process.

OCIO Response:
“While there was a standard operating procedure in place, it was not formally documented. On July 27, the USAJOBS Release Management SOP was updated to address the steps performed in [redacted] to track development work as it moves from one stage of the process through the next. It outlines which approvals are represented and who is required to perform the action.”

OIG Reply:
As part of the audit resolution process, we recommend that the OCIO provide IOC with evidence that the Release Management SOP was updated to address this recommendation.

E. Testing

We evaluated the OCIO’s methodology for testing USAJOBS prior to its deployment and also the testing process currently in place today.

Pre-deployment functionality testing

Prior to its deployment, USAJOBS 3.0 was subject to rigorous testing from a variety of sources. The OCIO maintains evidence that the system was tested by developers, business owners, users, and also by external vendors whose systems interface with USAJOBS.

All pre-deployment test plans had passed before the system went live. However, the test environment available in the weeks prior to deployment did not have the full set of data that would be loaded to the production environment. OPM experienced great difficulty in cleanly transferring the data from the old MGS system to the new USAJOBS 3.0. These difficulties were driven by the weak contract language that did not require MGS to provide OPM with the system details that would facilitate a more graceful transition of data. Therefore, most of the pre-deployment testing occurred in a test environment that, while fully functional, did not have all of the data that would be present in production.

As a result, pre-deployment tests could not reveal all anomalies in the system. This was a particular problem for the testing of location codes (i.e., the search engine’s ability to recognize abbreviations and alternate spellings of locations and provide accurate results). For example, test searches for Ft.
Meade, MD and Fort Meade, Maryland may not produce\nconsistent results because the limited test environment data didn\xe2\x80\x99t include any job postings\nfrom that area. The full set of clean data was not loaded to the system until just before the\ndeployment date, and the OCIO did not have time to start the testing process over. Delaying\nthe release of the system to conduct further testing would have cost OPM $500,000 per\nmonth in contract extension fees with MGS.\n\nAlthough no current audit recommendations can address the problems that occurred with\nUSAJOBS, we believe that the OCIO should take steps to prevent testing related issues from\noccurring in future system development projects.\n\nRecommendation 7\nAs part of the recommended SDLC checkpoint process, we recommend that the OCIO\nimplement a policy that provides general guidance and minimum requirements for pre-\ndeployment testing. The policy should also require all new systems to undergo testing in a\nfully functional test environment with a full set of data prior to system launch.\n\nOCIO Response:\n\xe2\x80\x9cSee the new SDLC Policy and Standards document, attached. It addresses testing\nrequirements. (See, for example, section 4.2.5 \xe2\x80\x98Build System Components Phase\xe2\x80\x99, p. 23,\nand Appendix D.4, p. 86 \xe2\x80\x93 97. See also Appendix D.2, \xe2\x80\x98Define System Requirements Phase\nActivities\xe2\x80\x99, p. 66 \xe2\x80\x93 78.) Such sections provide general guidance, including checklists of\nactivities for testing. We will evaluate the new SDLC Policy and Standards document, and\nwill consider other options as well, to determine the best approach for establishing\nminimum requirements for pre-deployment testing.\xe2\x80\x9d\n\nOIG Reply:\nWe acknowledge the fact that the new SDLC Policy addresses system testing at a high level.\nHowever, the policy should be updated to outline the requirements and deliverables for\ntesting-related milestones in the SDLC process. 
This recommendation should remain open until the SDLC review process (see Recommendation 2) has been fully implemented and evidence can be produced to indicate that the testing requirements are being actively enforced.

Pre-deployment stress testing

Most of the issues experienced in the first week after the deployment of USAJOBS 3.0 were related to an unprecedented number of users stressing the system’s resources. The OCIO provided us with evidence indicating that it did perform a variety of stress tests on USAJOBS prior to launch. The system was able to successfully process a traffic load that simulated the busiest day on USAJOBS under the prior operator.

However, the system was unable to handle the unprecedented number of users that attempted to access the system once it went live. Although the servers and databases were not operating at capacity, the communications lines did not have the bandwidth necessary to manage the traffic. As a result, users experienced a variety of errors caused by dropped packets, or were unable to access the system altogether.

Another issue that added stress to the system was that every USAJOBS user was required to change their password upon first login to the new USAJOBS 3.0 system. This was a result of MGS not having to transfer existing password data to OPM (see the reference to weak contract language in section A, above).

Within a week of the system’s deployment, OPM contracted with a content delivery network provider whose services drastically reduced the load on OPM’s communications lines. USAJOBS now uses about 10 to 12 percent of the capacity of its communications lines.

The system is now stable, and no current audit recommendation would be relevant to USAJOBS stress testing.
However, in hindsight it is easy to recognize the variables that led to the unprecedented traffic that USAJOBS experienced (for example, the advertisement of a “new jobs site” in a weak economy, the fact that users were unable to access the system for almost a week prior to launch, and search engine spiders exploring and archiving the new website). We believe that the OCIO should analyze and document the lessons learned from this experience and apply them toward future system development projects at OPM.

Recommendation 8
As part of the recommended SDLC checkpoint process, we recommend that the OCIO develop a policy that outlines the minimum requirements for stress testing of a new information system.

OCIO Response:
“Please see the new SDLC Policy and Standards document, attached. As noted in response to Recommendation 7, above, it addresses testing requirements, and provides general guidance and checklists of activities for testing. We will evaluate the new SDLC Policy and Standards document, and will consider other options as well, to determine the best approach for establishing minimum requirements for stress testing of new information systems.”

OIG Reply:
We acknowledge that the new SDLC Policy addresses system testing at a high level. However, the policy should be updated to outline the requirements and deliverables for testing-related milestones in the SDLC process. This recommendation should remain open until the SDLC review process (see Recommendation 2) has been fully implemented and evidence can be produced to indicate that the testing requirements are being actively enforced.

Current testing process

We evaluated the OCIO’s procedures for testing post-deployment changes to USAJOBS by reviewing testing documentation for all modifications made to USAJOBS since its initial release.
Although portions of the testing process were inconsistent and not well documented in the first months after the system’s deployment, we believe that the testing methodology has consistently improved and is now functioning adequately.

All changes to the USAJOBS application are subject to testing from both the development (HRTT) and the business owner (USAJOBS program office) sides. Each side has its own testing methodology. The program office testing methodology has been consistent and well documented since the beginning of the USAJOBS 3.0 project, and we were able to review detailed test scripts and results for every change. However, the testing process for the HRTT developers has evolved since the initial release of USAJOBS 3.0.

While we have no reason to doubt that HRTT has tested all post-deployment changes to USAJOBS, the testing activity was poorly documented for early changes to the system. For several changes no testing-related documentation exists (testing activity was communicated verbally), and for others testing was documented only in informal e-mails stating that “the test passed.” In addition, these early changes were not tested with formally documented test scripts.

HRTT has recently implemented a software package that helps it manage change testing activity. This software allows the developers to document a detailed test script complete with expected results. The system also allows the developers to mark items as “passed” once they have been successfully tested, thereby creating an auditable record of testing activity.

We reviewed the completed test plan for the latest release of updates to USAJOBS. Although we did not detect any anomalies in the recent testing documentation, we believe that, since this process is relatively new, it should be subject to further monitoring to ensure that it is functioning appropriately.
We also believe that the OCIO should formalize and document its now-stable testing methodology to ensure that all future changes are tested and documented consistently.

Recommendation 9
We recommend that the OCIO provide IOC with the developer test plans and documented results for the next two releases/updates of USAJOBS.

OCIO Response:
“We will provide test documentation for Release 3.3 and 3.4 upon completion of 3.4 and deployment by August 31, 2012.”

Recommendation 10
We recommend that the OCIO develop a testing policy for USAJOBS that outlines all of the elements that need to be documented for all testing activity (test plans, test scripts, results, etc.).

OCIO Response:
“The USAJOBS Program Office drafted this policy for the program in February 2012; however, it was never completed. The USAJOBS Program Office and HRTT will jointly work together to update our Testing Plan to specifically outline testing artifacts, activities, and the location of these records for audit purposes. We estimate that we can complete this activity by December 31, 2012.”

Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

•                  , Group Chief
•                    , Senior Team Leader

CIO Response: The new SDLC Policy and Standards document, mentioned above, describes phases and methods and identifies responsibility for approval of many SDLC products.
(Unlike the ITSM, which did not address Agile processes, the new SDLC Policy and Standards document requires that for Agile (Scrum) methodology there be Stage Gate Reviews of monthly milestones so that performance can be determined. See Appendix F.6 of the new SDLC document.)

We will review the new SDLC Policy and Standards document and the templates described above to identify appropriate responsibility for approval of SDLC work at various milestones.

Recommendation 3 states, “As part of the recommended SDLC review process, we recommend that the OCIO develop a policy that provides guidance on requirements gathering for new information systems and outlines minimum documentation requirements.”

CIO Response: Please see the new SDLC Policy and Standards document, attached.

Infrastructure Configuration and Change Management
Recommendation 4 asked that the Office of the Chief Information Officer (OCIO) develop and implement a procedure to formally document approvals for USAJOBS infrastructure changes (changes made to server configurations).

CIO Response: On July 30, the USAJOBS Configuration Management Plan was updated to outline formal approvals for USAJOBS infrastructure changes. Specifically, future changes to server configurations will be approved in writing by the Chief, Systems Capacity Branch (SCB), HRTT. The records of these approvals will be stored with the HRTT SCB.

Recommendation 5 recommended that the OCIO develop and implement a procedure to routinely audit the actual configuration of the USAJOBS servers and compare the settings to the approved baseline configuration.

CIO Response: A thorough annual review of the USAJOBS configuration is conducted by the USAJOBS Designated Security Officer (DSO) and the HRTT SCB as required by the HRTT Information Technology (IT) Security Standard Operating Procedure (SOP).
The DSO also receives and reviews a monthly report of the servers, software versions, and configurations. The USAJOBS Configuration Management Plan has been updated to include this review activity for USAJOBS configuration changes and comparison with approved baseline configurations.

Application Change Management
Recommendation 6 recommended that the OCIO develop a policy that outlines which individuals can make formal approvals at various stages in the USAJOBS application change management process.

CIO Response: While there was a standard operating procedure in place, it was not formally documented. On July 27, the USAJOBS Release Management SOP was updated to address the steps performed in        to track development work as it moves from one stage of the process through the next. It outlines which approvals are represented and who is required to perform the action.

We appreciate your continued support of the USAJOBS program and the CIO SDLC initiatives.

Attachment

- OPM System Development Life Cycle Policy and Standards, v. 1.0, June 2012

cc:
Director, Integrated Hiring Systems
Office of the Chief Information Officer

Chief, IT Investment Management
Office of the Chief Information Officer

Chief, Information Security and Privacy
Office of the Chief Information Officer

Director
Internal Oversight and Compliance
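The following is an added example, not code from the OPM OIG report, the OCIO, or the USAJOBS system. It illustrates the pre-deployment functionality testing problem described under "E. Testing" (the Ft. Meade, MD and Fort Meade, Maryland searches): a consistency check over two spellings of a location passes vacuously when the test fixture holds no postings from that area, so a "pass" says nothing about the location-code logic. The postings, the abbreviation tables and the normalization routine are constructed assumptions; the point shown is the coverage guard, which reports a test case as "vacuous" rather than "pass" when the data never exercised it, and which would have flagged the gap in the limited test environment before launch.

```python
"""Added example: not code from the OPM OIG report or from USAJOBS.

A result-consistency test over several spellings of one location passes
vacuously when the fixture holds no postings for that location.  The coverage
guard below returns 'vacuous' instead of 'pass' in that case.  All postings,
alias tables and queries are constructed sample data."""
import re

# Assumed abbreviation tables (illustrative, not the USAJOBS location-code tables).
TOKEN_ALIASES = {"ft": "fort", "ft.": "fort", "mt": "mount", "mt.": "mount",
                 "st": "saint", "st.": "saint"}
STATE_ALIASES = {"md": "maryland", "va": "virginia", "dc": "district of columbia"}


def normalize_location(text):
    """Lower-case, expand abbreviations and state codes, drop punctuation."""
    tokens = [t for t in re.split(r"[\s,]+", text.strip().lower()) if t]
    out = []
    for tok in tokens:
        tok = TOKEN_ALIASES.get(tok, tok)
        tok = STATE_ALIASES.get(tok, tok)
        out.append(tok.rstrip("."))
    return " ".join(out)


def search(postings, query, normalize=True):
    """Ids of postings whose location equals the query.

    normalize=False models a search that compares raw strings, which is the
    kind of defect the Ft. Meade / Fort Meade test searches were meant to catch."""
    def key(s):
        return normalize_location(s) if normalize else s.strip().lower()
    q = key(query)
    return sorted(p["id"] for p in postings if key(p["location"]) == q)


def consistency_test(postings, queries, normalize=True):
    """'pass' if every query returns the same postings, 'fail' if not, and
    'vacuous' if none of them returned anything: the fixture never exercised
    the case, so the verdict says nothing about the search logic."""
    results = [search(postings, q, normalize) for q in queries]
    if all(len(r) == 0 for r in results):
        return "vacuous"
    return "pass" if all(r == results[0] for r in results) else "fail"


def run_suite(postings, cases, normalize=True):
    """Run every alias group; return verdict counts and the names of the cases
    the data could not exercise (these must not be reported as passed)."""
    counts = {"pass": 0, "fail": 0, "vacuous": 0}
    unexercised = []
    for name, queries in cases.items():
        verdict = consistency_test(postings, queries, normalize)
        counts[verdict] += 1
        if verdict == "vacuous":
            unexercised.append(name)
    return counts, unexercised


# Constructed sample data: a sparse pre-deployment fixture and a fuller set.
SPARSE_POSTINGS = [
    {"id": 101, "location": "Washington, DC"},
    {"id": 102, "location": "Arlington, VA"},
]
FULL_POSTINGS = SPARSE_POSTINGS + [
    {"id": 201, "location": "Ft. Meade, MD"},
    {"id": 202, "location": "Fort Meade, Maryland"},
    {"id": 203, "location": "Fort Meade, MD"},
]
CASES = {
    "fort_meade": ["Ft. Meade, MD", "Fort Meade, Maryland", "Fort Meade, MD"],
    "washington": ["Washington, DC", "washington, dc"],
}

if __name__ == "__main__":
    for label, data in (("sparse fixture", SPARSE_POSTINGS), ("full data", FULL_POSTINGS)):
        for norm in (False, True):
            counts, gaps = run_suite(data, CASES, normalize=norm)
            print(f"{label:14s} normalize={norm!s:5s} {counts} unexercised={gaps}")
```

Against the sparse fixture the un-normalized search produces no failures at all, exactly the situation the report describes; only the coverage guard reveals that the Fort Meade case was never exercised. Against the full data set the same un-normalized search fails the Fort Meade case, which is the anomaly that reached production.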
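The following is an added example, not code from the report, the OCIO, or USAJOBS, illustrating the routine comparison of actual server configuration against the approved baseline called for in Recommendation 5 and described in the CIO's response (the monthly report of servers, software versions, and configurations). The inventory shape (one dictionary per server holding software versions and settings) and every host name, package, and value are constructed assumptions; a real run would load the approved baseline and the collected snapshot in whatever format the DSO receives them. The comparison separates three kinds of drift that need different follow-up: a setting whose value changed, a baseline setting missing from the host, and a setting present on the host that the baseline never approved. Hosts that appear in only one of the two inventories are reported as well.

```python
"""Added example: not code from the report, the OCIO or USAJOBS.

Compares a collected configuration snapshot against the approved baseline.
The inventory shape and every host, package and value are constructed."""
import json

# Constructed approved baseline: one entry per server.
BASELINE = {
    "web01": {"software": {"httpd": "2.2.15", "openssl": "1.0.0"},
              "settings": {"sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
                           "tls": {"min_version": "1.2"}}},
    "web02": {"software": {"httpd": "2.2.15", "openssl": "1.0.0"},
              "settings": {"sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
                           "tls": {"min_version": "1.2"}}},
    "db01":  {"software": {"postgresql": "9.1.4"},
              "settings": {"sshd": {"PermitRootLogin": "no"}, "listen_addresses": "10.0.0.5"}},
}

# Constructed monthly snapshot, as it might be collected from the hosts.
SNAPSHOT = {
    "web01": BASELINE["web01"],
    "web02": {"software": {"httpd": "2.2.15", "openssl": "0.9.8"},
              "settings": {"sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
                           "debug": {"enabled": True}}},
    "web03": {"software": {"httpd": "2.2.15"}, "settings": {}},
}


def flatten(d, prefix=""):
    """Turn nested dicts into dotted leaf keys so each setting compares individually."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out


def diff_host(expected, actual):
    """Three drift classes for one host: changed values, baseline settings
    missing from the host, and settings on the host the baseline never approved."""
    e, a = flatten(expected), flatten(actual)
    return {
        "changed": {k: (e[k], a[k]) for k in sorted(e.keys() & a.keys()) if e[k] != a[k]},
        "missing": {k: e[k] for k in sorted(e.keys() - a.keys())},
        "unexpected": {k: a[k] for k in sorted(a.keys() - e.keys())},
    }


def audit(baseline, snapshot):
    """Compare every host.  A baseline host absent from the snapshot means the
    review could not see that server; a snapshot host absent from the baseline
    is an unapproved system.  Both are drift, not just value differences."""
    report = {
        "hosts": {},
        "unreported_hosts": sorted(set(baseline) - set(snapshot)),
        "unapproved_hosts": sorted(set(snapshot) - set(baseline)),
    }
    for host in sorted(set(baseline) & set(snapshot)):
        d = diff_host(baseline[host], snapshot[host])
        if any(d.values()):
            report["hosts"][host] = d
    return report


def has_drift(report):
    """True when anything in the report needs the DSO's attention."""
    return bool(report["hosts"] or report["unreported_hosts"] or report["unapproved_hosts"])


if __name__ == "__main__":
    print(json.dumps(audit(BASELINE, SNAPSHOT), indent=2))
```

In the constructed snapshot, web02 has regressed to an older OpenSSL package and re-enabled root SSH login, has lost its TLS minimum-version setting, and carries a debug switch the baseline never approved; db01 did not report at all, and web03 is a server the baseline does not know about. Running the comparison on each monthly report, and keeping the output with the approval records, gives the auditable evidence of baseline comparison that the recommendation asks for.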